Wary customers shun businesses after data breaches

UK costs still on rise, finds survey

Data breaches cost UK businesses more than ever last year, with most of the financial hit resulting from lost business in the aftermath of an incident, a Ponemon Institute survey for Symantec has found.

The average cost of a data breach for the 38 large businesses surveyed in 2010 Annual Study: UK Cost of a Data Breach was £1.9 million ($3.1 million), a 13 percent rise from 2009, equivalent to about £71 per lost record.

Of this sum, 48 percent can be attributed to ‘abnormal customer churn’ – customers that go elsewhere after hearing of the problem – while communicating with customers and resetting records is another 23 percent. Non-commercial organisations such as those in the public sector were found to suffer lower customer costs.

The most expensive breach uncovered by the survey cost a company £6.2 million to recover from, while the smallest costing £336,000, with the number of records lost or stolen ranging from 6,900 to 72,000.

However representative a snapshot, Symantec and Ponemon describe the breach cost numbers as giving a good idea of what it costs a typical company to deal with large data breaches, defined as between 1,000 and 100,000 records.

The report presents the deeper causes of data breaches in a rather convoluted manner (some causes can be related to more than one category), although ‘system breaches’ (security failures inside a company) are named as the top cause with a frequency of 37 percent of incidents, with third parties and negligence accounting for 34 percent each.

Malicious and criminal attacks account for 29 percent, but these are not surprisingly the most expensive to clear up at £80 per record.

“We continue to see an increase in the costs to businesses suffering a data breach,” said Ponemon Institute founder, Dr. Larry Ponemon. “Regulators are cracking down to ensure organisations implement required data security controls or face harsher penalties. Confronted with both malicious and non-malicious threats from inside and outside the organisation, companies must proactively implement policies and technologies to mitigate the risk of costly breaches.”